For the last couple of months I've been working on a script that should handle a theoretically simple case: printing the formula for a calculated field available on the dashboard. I must admit that at the beginning of this mini project I had no idea about XHR requests, cryptography or undocumented APIs, so apart from having an interesting task resolved, I am super happy to have learned something new.

To make this task harder, I needed to meet 2 strict requirements:

the formula must always be the most up-to-date one (getting it from the repository is a no-no)

I cannot use any server-side language (no PHP, Python, Ruby)

Tableau provides a very strong tool for such purposes: the API. Unfortunately, you need an X-Auth token (workgroup_session_id) to perform queries against it, and guess what: it's stored in an HTTP cookie, so there's no way to obtain it using only JavaScript. You have to use PHP or Python. However, no task is too hard. Here's the final result: a mapped dashboard that supports both pasted XML (from a .twb file) and getting data directly from the Tableau Server.

Undocumented API

I spent the majority of the time looking for an end-to-end solution that would handle my case using only JavaScript. Unfortunately, even gurus like Tamas Foldi or Marc Jacobson provide only partial solutions, all of them based on server-side languages. The breakthrough came with one of the latter's posts, stating that there's some kind of undocumented API which provides part of the REST API functionality and can be accessed without the X-Auth token. It turned out that it's an interface that vizsql uses to communicate with the Server. However, to send requests you need an X-XSRF-TOKEN, but this can be obtained via JS using a couple of tricks.

RSA, PKCS and stuff

To get X-XSRF-TOKEN you need 3 components:

public key from your server

username

user password

2nd and 3rd can be fetched from a simple login form:

At this point, a clarification should be made. This way of providing credentials over the Internet is in general not recommended due to security issues. However, encrypting the data using RSA with PKCS#1 v1.5 padding makes this method more secure. On top of that, you are acting only on a disposable token and only on your server (the solution must be implemented as a web data connector).

I have tried many libraries to encrypt my password using the public key, but only the combination of forge and jsencrypt solved my problem.

Getting the Token

I am using $.ajax() from the jQuery library as it's the easiest to use. I tried to get the data with an XHR/HTTP request at first, but it was getting too complicated (mostly due to the XML payload). Subsequent queries rely on this one (as you get the token here), so you want to make sure that you have this one right.

Getting sweet content

Now, having the token returned, we can play around and fetch all the data that the undocumented API serves. But remember, the ultimate goal is to get the XML definition of the desired workbook. So let's start with getting all the projects we have on the server.

Yes, it is that simple.

As I am interested only in getting workbooks that are in the Default project, I just iterate through all of them to get the whole list. Then I take the project id and use it in the next query to push all dashboards into the dashboard object. Having the dashboards in an object, I can print them to the UI and wait for the user to select the desired one.

And now this is the moment where the fun begins. The undocumented API provides a URL to the .twb file of the dashboard. In theory one could open the .twb file directly with an HTTP request, but this URL points to a .twbx file instead, which is essentially a ZIP. That's why I added 1 more library, which unzips the file in memory and reads the .twb file inside.
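The in-memory unzip step described above, as an added example that is not the post's own code: it uses Node's built-in zlib instead of the browser library the post relies on, and treats the downloaded archive as untrusted by capping the unpacked size. The function names, the size cap, the sample archive and the assumption that the .twb sits at the archive root are all made up for illustration.

```javascript
const zlib = require('zlib');

const MAX_TWB_BYTES = 50 * 1024 * 1024; // assumed cap on the workbook XML size

// Return the XML text of the .twb entry in a .twbx (ZIP) buffer held in memory.
function readTwbFromTwbx(buf, maxBytes = MAX_TWB_BYTES) {
  // Locate the end-of-central-directory record by scanning back from the end.
  let eocd = buf.length - 22;
  while (eocd >= 0 && buf.readUInt32LE(eocd) !== 0x06054b50) eocd--;
  if (eocd < 0) throw new Error('not a ZIP archive');
  const count = buf.readUInt16LE(eocd + 10);
  let p = buf.readUInt32LE(eocd + 16); // start of the central directory
  for (let i = 0; i < count; i++) {
    if (buf.readUInt32LE(p) !== 0x02014b50) throw new Error('bad central directory');
    const method = buf.readUInt16LE(p + 10);
    const compSize = buf.readUInt32LE(p + 20);
    const nameLen = buf.readUInt16LE(p + 28);
    const local = buf.readUInt32LE(p + 42); // offset of the entry's local header
    const name = buf.toString('utf8', p + 46, p + 46 + nameLen);
    p += 46 + nameLen + buf.readUInt16LE(p + 30) + buf.readUInt16LE(p + 32);
    if (!/^[^\/\\]+\.twb$/i.test(name)) continue; // skip Data/, Image/ and nested paths
    if (compSize > maxBytes) throw new Error('workbook too large');
    // Data begins after the 30-byte local header, its file name and extra field.
    const start = local + 30 + buf.readUInt16LE(local + 26) + buf.readUInt16LE(local + 28);
    const data = buf.subarray(start, start + compSize);
    if (method === 0) return data.toString('utf8'); // stored, no compression
    if (method === 8) { // deflate; inflateRawSync throws once output passes the cap
      return zlib.inflateRawSync(data, { maxOutputLength: maxBytes }).toString('utf8');
    }
    throw new Error('unsupported compression method ' + method);
  }
  throw new Error('no .twb entry found');
}

// Constructed sample: a one-entry ZIP built in memory (CRC left 0; the reader ignores it).
function makeSampleTwbx(name, xml) {
  const n = Buffer.from(name), raw = Buffer.from(xml), z = zlib.deflateRawSync(raw);
  const lfh = Buffer.alloc(30), cdh = Buffer.alloc(46), end = Buffer.alloc(22);
  lfh.writeUInt32LE(0x04034b50, 0); lfh.writeUInt16LE(8, 8);
  lfh.writeUInt32LE(z.length, 18); lfh.writeUInt32LE(raw.length, 22); lfh.writeUInt16LE(n.length, 26);
  cdh.writeUInt32LE(0x02014b50, 0); cdh.writeUInt16LE(8, 10);
  cdh.writeUInt32LE(z.length, 20); cdh.writeUInt32LE(raw.length, 24); cdh.writeUInt16LE(n.length, 28);
  end.writeUInt32LE(0x06054b50, 0); end.writeUInt16LE(1, 8); end.writeUInt16LE(1, 10);
  end.writeUInt32LE(46 + n.length, 12); end.writeUInt32LE(30 + n.length + z.length, 16);
  return Buffer.concat([lfh, n, z, cdh, n, end]);
}

const SAMPLE_XML = "<workbook><column caption='Profit Ratio'><calculation class='tableau' formula='SUM([Profit])/SUM([Sales])' /></column></workbook>";
console.log(readTwbFromTwbx(makeSampleTwbx('Sample.twb', SAMPLE_XML)));
```

The returned XML is still untrusted text, so a formula taken from it should be written to the page as text rather than as markup.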